OSDOCS-16585 created doc for config network policy for operand

_topic_maps/_topic_map.yml

@@ -1256,6 +1256,8 @@ Topics:
     File: external-secrets-operator-release-notes
   - Name: Installing the External Secrets Operator
     File: external-secrets-operator-install
+  - Name: Configuring Network Policy for the Operand
+    File: external-secrets-operator-config-net-policy
   - Name: Uninstalling the External Secrets Operator
     File: external-secrets-operator-uninstall
   - Name: External Secrets Operator APIs

modules/external-secrets-operator-egress-allow-all-traffic.adoc

@@ -0,0 +1,41 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/external-secrets-operator-install.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="external-secrets-operator-egress-allow-all-traffic_{context}"]
+= Adding a custom network policy to allow egress to all external providers
+
+You must configure custom policies through the `ExternalSecretsConfig` custom resource to allow all egress to all external providers.
+
+.Prerequisites
+
+* An `ExternalSecretsConfig` must be predefined.
+
+* You must be able to define specific egress rules, including desitination ports and protocols
+
+.Procedure
+
+. Edit the `ExternalSecretsConfig` CR by running the following command:
++
+[source,terminal]
+----
+$ oc edit externalsecretsconfigs.operator.openshift.io cluster
+----
+
+. Set the policy by editing the `networkPolicies` section:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: ExternalSecretsConfig
+metadata:
+  name: cluster
+spec:
+  networkPolicies:
+    - name: allow-external-secrets-egress
+      componentName: CoreController
+      policyTypes:
+        - Egress
+      egress: # Allow all egress traffic
+----

modules/external-secrets-operator-egress-specific-provider.adoc

@@ -0,0 +1,55 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/external-secrets-operator-install.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="external-secrets-operator-egress-specific-provider_{context}"]
+= Adding a custom network policy to allow egress to a specific provider
+
+You must configure custom policies through the `ExternalSecretsConfig` custom resource to allow all egress to a specific provider.
+
+.Prerequisites
+
+* An `ExternalSecretsConfig` must be predefined.
+
+* You must be able to define specific egress rules, including desitination ports and protocols
+
+.Procedure
+
+. Edit the `ExternalSecretsConfig` CR by running the following command:
++
+[source,terminal]
+----
+$ oc edit externalsecretsconfigs.operator.openshift.io cluster
+----
+
+. Set the policy by editing the `networkPolicies` section. The following example shows how to allow egress to {aws-first} endpoints, the Kubernetes API server, and the Domain Name Service (DNS).
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: ExternalSecretsConfig
+metadata:
+  labels:
+    app.kubernetes.io/name: cluster
+    app.kubernetes.io/managed-by: external-secrets-operator-e2e
+  name: cluster
+spec:
+  controllerConfig:
+    networkPolicies:
+      - name: allow-external-secrets-egress
+        componentName: ExternalSecretsCoreController
+        egress:
+          # Allow egress to Kubernetes API server, AWS endpoints, and DNS
+          - to: []
+            ports:
+              - protocol: TCP
+                port: 6443  # Kubernetes API
+              - protocol: TCP
+                port: 443   # HTTPS (AWS Secrets Manager)
+----
+
+componentName:: name for the core controller specified as `ExternalSecretsCoreController`.
+
+Egress rules must include the necessary ports, such as Transmission Control Protocol (TCP) port 6443 for the Kubernetes API and TCP port 443 (HTTPS) for services like the {aws-short} Secrets Manager.
+

modules/external-secrets-operator-ingress-egress-rules.adoc

@@ -0,0 +1,42 @@
+// Module included in the following assemblies:
+//
+// * security/external_secrets_operator/external-secrets-operator-install.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="external-secrets-operator-ingress-egress-rules_{context}"]
+= Default ingress and egress rules
+
+The following table summarizes the default ingress and egress rules.
+
+[cols="1,1,1,1",options="header"]
+|===
+| Component
+| Ingress ports
+| Egress ports
+| Description
+
+| `external-secrets`
+| 8080
+| 6443
+| Accesses metrics and communicates with the API server
+
+| `external-secrets-webhook`
+| 8080/10250
+| 6443
+| Accesses metrics, webhook, and communicates with the API server
+
+| `external-secrets-cert-controller`
+| 8080
+| 6443
+| Accesses metrics and communicates with the API server
+
+| `external-secrets-bitwarden-server`
+| 9998
+| 6443
+| Accesses the `bitwarden-server` and communicates with the API server
+
+| `external-secrets-allow-dns`
+|
+| 5353
+| Allow DNS ports which enables DNS resolution for external secret providers
+|===

security/external_secrets_operator/external-secrets-operator-config-net-policy.adoc

@@ -0,0 +1,20 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="external-secrets-operator-config-net-policy"]
+= Configuring network policy for the operand
+include::_attributes/common-attributes.adoc[]
+:context: external-secrets-operator-uninstall
+
+toc::[]
+
+The {external-secrets-operator} includes pre-defined `NetworkPolicies` for security, but you must configure additonal, custom policies through the `ExternalSecretsConfig` custom resource to set the external-secrets controller egress allow policies to communicate with external providers. These configurable policies are set via the `ExternalSecretsConfig` custom resource to establish the egress allow policy.
+
+// Adding network policy to connect to permit all egress traffic
+include::modules/external-secrets-operator-egress-allow-all-traffic.adoc[leveloffset=+1]
+
+// Adding network policy to connect to a specific provider
+include::modules/external-secrets-operator-egress-specific-provider.adoc[leveloffset=+1]
+
+// Default ingress and egress rules
+include::modules/external-secrets-operator-ingress-egress-rules.adoc[leveloffset=+1]
+
+